CVE-2022-26986
Description
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject SQL into the application's database queries in an unintended way; this lets an attacker read and modify sensitive information in the database used by the application. If the database is misconfigured, an attacker can even upload a malicious web shell and compromise the entire system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ImpressCMS 1.4.3 and earlier allows unauthenticated remote attackers to read and modify the database and, where the database user can write files on the server, to upload a webshell.
Vulnerability
ImpressCMS versions 1.4.3 and earlier contain a SQL injection vulnerability in an unspecified parameter: user-supplied input reaches a database query without sufficient sanitization, so an attacker can inject SQL through crafted HTTP requests. [1]
Exploitation
An attacker exploits this by sending crafted HTTP requests to the vulnerable endpoint; no authentication is required. The referenced exploit achieves remote code execution by using the injection to write a file (a webshell) into a web-served directory. That step depends on the database user being allowed to write files on the server (for MySQL-based deployments, the FILE privilege together with a permissive secure_file_priv setting); the injection itself does not need it. [3]
Impact
Successful exploitation allows reading and modifying sensitive database information. If the database user can additionally write files on the server (a misconfiguration), the attacker can drop a webshell, leading to full system compromise. [1]
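As an added illustration, not code from ImpressCMS or from the referenced exploit, the following shows the pattern behind a bug of this class: a query assembled by string concatenation next to the same query with bound parameters, run against an in-memory SQLite database. The schema, table names and handler functions are assumptions made up for the example; the real vulnerable parameter is not identified on this page.

```python
import sqlite3

# Constructed sample schema and rows for this example only; this is not
# ImpressCMS's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
        INSERT INTO users VALUES (2, 'alice', 'hash-of-alice-password');
        CREATE TABLE posts (pid INTEGER PRIMARY KEY, uid INTEGER, title TEXT);
        INSERT INTO posts VALUES (10, 2, 'hello');
        INSERT INTO posts VALUES (11, 1, 'welcome');
    """)
    return conn

def titles_by_author_vulnerable(conn, uname):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so quotes and keywords in it become part of the statement."""
    sql = ("SELECT title FROM posts JOIN users USING (uid) "
           "WHERE uname = '" + uname + "'")
    return [row[0] for row in conn.execute(sql)]

def titles_by_author_safe(conn, uname):
    """Hardened form: the value is bound as a parameter and can only ever
    be compared as data, never parsed as SQL."""
    sql = "SELECT title FROM posts JOIN users USING (uid) WHERE uname = ?"
    return [row[0] for row in conn.execute(sql, (uname,))]

def rename_post_vulnerable(conn, pid, title):
    """Vulnerable write path: pid is interpolated into the WHERE clause.
    Returns the number of rows the UPDATE touched."""
    sql = f"UPDATE posts SET title = '{title}' WHERE pid = {pid}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def rename_post_safe(conn, pid, title):
    """Hardened write path with both values bound."""
    cur = conn.execute("UPDATE posts SET title = ? WHERE pid = ?", (title, pid))
    conn.commit()
    return cur.rowcount

# Constructed attacker inputs (assumed, not taken from the real exploit):
# a UNION that pulls every username and password hash through the result
# column, and a tautology that widens an UPDATE to every row.
READ_PAYLOAD = "x' UNION SELECT uname || ':' || pass FROM users -- "
WRITE_PAYLOAD = "10 OR 1=1"

def demo():
    conn = make_db()
    leaked = titles_by_author_vulnerable(conn, READ_PAYLOAD)   # two leaked rows
    safe = titles_by_author_safe(conn, READ_PAYLOAD)           # no such author
    changed_vuln = rename_post_vulnerable(conn, WRITE_PAYLOAD, "defaced")  # 2
    fresh = make_db()
    changed_safe = rename_post_safe(fresh, WRITE_PAYLOAD, "defaced")       # 0
    return {
        "leaked": sorted(leaked),
        "safe": safe,
        "changed_vuln": changed_vuln,
        "changed_safe": changed_safe,
    }

if __name__ == "__main__":
    print(demo())
```

The bound-parameter form is the fix for both the read and the modify cases. It also closes the webshell path described above: the file write in the referenced exploit is just another statement the attacker smuggles into the query text, and it cannot be reached when the value is never parsed as SQL. SQLite has no server-side file-write statement, so that last step is not reproduced here.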
Mitigation
Upgrade to ImpressCMS 1.4.4 or later (the project's GitHub repository currently offers 2.0.3). No workaround is documented. As defence in depth, run the application with a database user that holds only the privileges it needs and, in particular, no file-write privilege (on MySQL, no FILE grant and a restrictive secure_file_priv), so that a successful injection cannot be turned into a webshell. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| impresscms/impresscms (Packagist) | <= 1.4.3 | — |
Affected products
ImpressCMS/ImpressCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.